Hi All,

I have tried this approach ("I recommend cranking the interval at which the keys are refreshed to under 20 minutes' time"), but still see this issue where autokey still does not work. Can somebody please help me in identifying what's going wrong here?

*****************************************
--------------------------------------------------------------
server: start ntp service on server: everything works fine on server
rv 0 = c618 (sync_ntp) (perfectly synced with its time source)
-------------------------------------------------------
problem is with client:> o/p given below -- client keeps rejecting server and never syncs with its server peer.

ntpq> ass
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  4167  e011   yes    no   ok    reject    mobilize    1
ntpq> rv 4167 flags
flags=0x85301
ntpq> rv 4167
associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123, dstadr=132.184.117.162, dstport=123,
leap=00, stratum=5, precision=-10, rootdelay=205.750, rootdisp=236.755,
refid=132.186.221.175,
reftime=d9741e71.e9570d9c  Tue, Aug 11 2015 12:40:41.911,
rec=d974578a.a7f973f4  Tue, Aug 11 2015 16:44:18.656,
reach=000, unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"
------------------------------------------------------------------------------
cryptostats o/p I see on the client machine:
57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified
----------------------------------------------------------
thanks a lot,
Shyam
******************************************

On Wed, Aug 12, 2015 at 7:32 AM, Harlan Stenn <st...@ntp.org> wrote:

Autokey is being deprecated. It was good at what it did 20 years ago, but it is no longer usefully secure.

Why do you want to use it?

If you have good reason to use it, I recommend cranking the interval at which the keys are refreshed to under 20 minutes' time.

--
Harlan Stenn <st...@ntp.org>
http://networktimefoundation.org - be a member!

From: Sowmya Manapragada <skoga...@gmail.com>
Date: Tue, Aug 11, 2015 at 11:49 PM
Subject: NTP 4.2.8: "Autokey" problem faced with IFF scheme for client/server pair: Request your inputs
To: questions@lists.ntp.org

Hi All,

Request your help/suggestions on the below problem I am facing. I am relatively new to NTP and request your inputs.

Problem: I am trying to configure an ntp server/client pair to use the IFF identity scheme. I followed the directions precisely that were on the following ntp page: http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Both machines running on Windows 7 / NTP version: 4.2.8p2.

Problem is client never syncs with server and always rejects it (authentication: OK, condition: reject, reach: 0). Please see details below.

*************************************************
server machine:>
*************************************************
<server5672N -ntp.conf>
restrict default kod nomodify notrap noquery
# Authentication
statsdir "D:\ntp\stats\"
statistics cryptostats
filegen cryptostats file cryptostats type none enable
server BLRK05A iburst #timesource
crypto ident iff
crypto pw spassword
keysdir "D:\ntp\keys\"
****************************************************
server-step-1) #Generate the IFF parameters
D:\ntp\keys> ntp-keygen -T -I -p spassword

server-step-2) #Export the IFF Group Key
D:\ntp\keys> ntp-keygen -e -p spassword
#o/p on the console
Using OpenSSL version OpenSSL 1.0.1m 19 Mar 2015
Using host server5672N group server5672N
Using host key ntpkey_host_server5672N
Using host key as sign key
Using IFF keys ntpkey_iffkey_server5672N
Writing IFF parameters ntpkey_iffpar_server5672N.3648303779 to stdout
# ntpkey_iffpar_server5672N.3648303779
# Tue Aug 11 23:13:27 2015
-----BEGIN PRIVATE KEY-----
MIG0AgEAMIGpBgcqhkjOOAQBMIGdAkEA20WQMdLTHJlm0aPwiPieUdP4dhodm0w
z/ceXzabezyx7odMqJA9GwrPyk1UFkelnmLkeYLZpC8Om0KvDzc5jwIVAPTGF3I0
q5BUZq4ynXezdUaVxjdbAkEAg751a+5ClAQQBrUICA7+gAu4idG6FHPBX64B5Scy
mx6kkaTyzAZsv5F2E23AetDBI7OIf6WFeCO3yxbMpQ97PQQDAgEB
-----END PRIVATE KEY-----
Generating new certificate server5672N RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Create hard link ntpkey_cert_server5672N to ntpkey_RSA-MD5cert_server5672N.3648303779 failed: Cannot create a file when that file already exists.
RSA-MD5cert: Unknown error
Generating new cert file and link ntpkey_cert_server5672N->ntpkey_RSA-MD5cert_server5672N.3648303779
#end o/p

server-step-3) copied the IFF key text (from above, starting with "# ntpkey_iffpar_server5672N.3648303779" through "-----END PRIVATE KEY-----") and pasted it into an editor (notepad). Named this file ntpkey_iffpar_server5672N.3648303779, copied this file onto the client machine into the keys dir and created a symlink (i.e. on the client machine D:ntp\keys> mklink ntpkey_iffpar_server5672N ntpkey_iffpar_server5672N.3648303779)

**********************************************************
client machine:>
**********************************************************
<client-ntp.conf>
restrict default kod nomodify notrap nopeer noquery
crypto ident iff
crypto pw spassword
server server5672N autokey iburst #prefer to connect to this source
************************************************************
//client
------------------------------------------------------------
client-step-1) D:\ntp\keys> ntp-keygen -H -p cpassword
//Obtain the IFF group key exported above (on the server machine), copy the key file to the keysdir, and create the standard symlink
client-step-2) D:\ntp\keys> mklink ntpkey_iffpar_server5672N ntpkey_iffpar_server5672N.3648213639
****************************************************************************************************************************************************************
Results:>
--------------------------------------------------------------
server: start ntp service on server: everything works fine on server
rv 0 = c618 (sync_ntp) (perfectly synced with its time source)
-------------------------------------------------------
problem is with client:> o/p given below -- client keeps rejecting server and never syncs with its server peer.

ntpq> ass
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  4167  e011   yes    no   ok    reject    mobilize    1
ntpq> rv 4167 flags
flags=0x85301
ntpq> rv 4167
associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123, dstadr=132.184.117.162, dstport=123,
leap=00, stratum=5, precision=-10, rootdelay=205.750, rootdisp=236.755,
refid=132.186.221.175,
reftime=d9741e71.e9570d9c  Tue, Aug 11 2015 12:40:41.911,
rec=d974578a.a7f973f4  Tue, Aug 11 2015 16:44:18.656,
reach=000, unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"
------------------------------------------------------------------------------
cryptostats o/p I see on the client machine:
57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified
----------------------------------------------------------
thanks a lot,
Shyam

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
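Added example, not part of the thread and not ntp's own code: a small Python decoder for the ntpq peer status word, the flash word and the cryptostats records quoted above, so a reader can turn status=e011 and flash=1080 into the same text ntpq prints and pull the failure reason out of the log. It assumes the bit layouts and status names of ntp 4.2.8; only the names that actually appear in the post are confirmed by it.

```python
# Added example, not from the thread: decode the ntpq peer status word
# (status=e011), the flash word (flash=1080) and the cryptostats records
# quoted above, so the rejection can be read off directly. Bit layouts
# follow ntpq/ntp_control; names beyond those the post shows come from
# ntp 4.2.8's status tables as assumed here.
from datetime import datetime, timedelta

# Peer status word: high byte = 5 status bits + 3-bit selection field,
# low byte = 4-bit event count + 4-bit code of the last event.
STATUS_BITS = [(0x80, "conf"), (0x40, "authenb"), (0x20, "auth"),
               (0x10, "reach"), (0x08, "bcast")]
SELECT = ["sel_reject", "sel_falsetick", "sel_excess", "sel_outlier",
          "sel_candidate", "sel_backup", "sel_sys.peer", "sel_pps.peer"]
EVENTS = {1: "mobilize", 2: "demobilize", 3: "unreachable", 4: "reachable",
          5: "restart", 6: "no_reply", 7: "rate_exceeded", 8: "access_denied",
          9: "leap_armed", 10: "sys_peer", 11: "clock_event", 12: "bad_auth"}
# Flash word: one bit per failed sanity test, TEST1 in bit 0 .. TEST13 in bit 12.
FLASH_BITS = ["pkt_dup", "pkt_bogus", "pkt_unsync", "pkt_denied", "pkt_auth",
              "pkt_stratum", "pkt_header", "pkt_autokey", "pkt_crypto",
              "peer_stratum", "peer_dist", "peer_loop", "peer_unreach"]
MJD_EPOCH = datetime(1858, 11, 17)  # day 0 of the Modified Julian Date scale

def decode_status(word):
    """Render a hex peer status word the way ntpq's rv output does."""
    w = int(word, 16)
    parts = [name for bit, name in STATUS_BITS if (w >> 8) & bit]
    parts.append(SELECT[(w >> 8) & 0x07])
    count, code = (w >> 4) & 0x0F, w & 0x0F
    parts.append("%d event%s" % (count, "" if count == 1 else "s"))
    parts.append(EVENTS.get(code, "event_%d" % code))
    return ", ".join(parts)

def decode_flash(word):
    """List the failed tests encoded in a hex flash word, lowest bit first."""
    w = int(word, 16)
    return [name for i, name in enumerate(FLASH_BITS) if w & (1 << i)]

def parse_cryptostats(line):
    """Split a cryptostats record into UTC time, peer address and message."""
    mjd, secs, addr, *rest = line.split()
    when = MJD_EPOCH + timedelta(days=int(mjd), seconds=float(secs))
    return {"utc": when.strftime("%Y-%m-%d %H:%M:%S"), "peer": addr,
            "message": " ".join(rest), "reason": rest[-1]}

if __name__ == "__main__":
    # Constructed sample: one of the records quoted in the post.
    rec = parse_cryptostats(
        "57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified")
    print(decode_status("e011"), decode_flash("1080"), rec)
```

Running it on the values from the post yields "conf, authenb, auth, sel_reject, 1 event, mobilize" and ['pkt_autokey', 'peer_unreach'], i.e. the association is configured and authenticated but every packet fails the autokey test, which is why reach stays at 0.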